This project has moved. For the latest updates, please go here.

VC's reputation harmed by lack of GPT & UEFI

Topics: Users Discussion
Dec 30, 2015 at 4:33 PM
In this ArsTechnica discussion a VeraCrypt advocate (not me, someone else) gets shot down by criticism of VeraCrypt's lack of GPT & UEFI support:

http://arstechnica.com/information-technology/2015/12/microsoft-may-have-your-encryption-key-heres-how-to-take-it-back/?comments=1&start=0

I'm pointing this out in order to ensure that we have a clear understanding of VeraCrypt's current reputation; Ars Technica's user community is full of tech experts whose opinions often influence many others.
Dec 30, 2015 at 10:05 PM
Edited Dec 30, 2015 at 10:07 PM
NSA will always want to harm everything which is not under their control... Correct me if I'm wrong, but you can use MBR formatted system disk (or even better SSD disk), which you can encrypt at boot, and second data disk, which you can format using GPT, which should work with VC. Or use more 2TB MBR partitions. What is the benefit of UEFI anyway (except you don't know what's happening behind the scenes)? I'd rather have a keyboard shortcut for PIM, which is much easier to implement ;-)
Coordinator
Dec 31, 2015 at 12:03 AM
Thank you @commenter8 for sharing the link.

What is the point of criticizing VeraCrypt lack of UEFI support? As if it was something that can be implemented overnight. Those tech experts can better spend their time help getting it implemented or spread the word to get expert developers contribute because as of today there is no open source UEFI disk encryption for Windows.

I don't earn my living on disk encryption business but many of these experts do and they definitely don't want VeraCrypt to have such feature: it will simply destroy a multi-million dollars business. That's why it is not in their interest to help VeraCrypt...

UEFI support is still on the agenda but if we want to include it in VeraCrypt in the near future we definitely would need funding to advance more quickly and pay for full time work on it.
Recently, I have been in contact with OSTIF (ostif.org) which included VeraCrypt in their crowdfunding compaign but unfortunately it looks like this is something that doesn't attract a lot of interest.

Of course, technical users like @testoslav will always be able to convert their system disk to use MBR and encrypt Windows using VeraCrypt but this is too complex for the average user who need to use VeraCrypt out of the box.
Moreover, UEFI has the theoretical benefit of enabling "secure boot" but requires the bootloader to be signed by Microsoft...and this is not something easy and a lot of paper work is involved (an example is described here).

Anyway, there will be always those who will attack VeraCrypt reputation a for what ever reason but this will not affect the life of the project. My only hope is that developers will be clever enough to not be deterred from looking at the code and contributing on Windows code.
Dec 31, 2015 at 2:59 PM
Edited Dec 31, 2015 at 3:00 PM
idrassi wrote:
Anyway, there will be always those who will attack VeraCrypt reputation a for what ever reason but this will not affect the life of the project. My only hope is that developers will be clever enough to not be deterred from looking at the code and contributing on Windows code.
Hello idrassi, I dont know whether you realize how far you and VC have gone by now.... I have been actively using encryption and encryption related software for about 25 years now and i can state that you are now the most respected encryption product developer (for the masses) for all times since computers exist commercially.... many products have come and then either vanished or became untrustworthy... PGP 2.XX (Phil Zimmermann) sold the whole idea to the big guys, Jetico... now very commercial, Securstar/Drivecrypt, SafeHouse, Free OTF.... vanished, DiskCryptor.... not quite maintained....... and of course TrueCrypt, the only one that stayed for almost an eternity.... but from unknown authors...... So idrassi, be on alert, the "World" now doesnt like encryption, shall we go back to the max 40 bit key legal requirement or something more evil.... nobody knows.....

Or will VC be simply discredited? And of course not by the lack of support for UEFI.... Encryption is an unknown minefield.... let someone just shout "there are mines" or rather "VC is weak and broken and backdoor-ed and compromised".... then this will be a serious hit..... Imagine someone tells you the bread you brought yesterday from your supermarket is poisoned, are you going to eat it? Especially if you didnt buy it, but got it for free ? :)
Coordinator
Jan 1, 2016 at 11:30 AM
First happy new year to all with all my best wishes.

Thank you @Alex512 for your kind words although I don't think I deserve to be compared to such big names.

Indeed things are becoming very "hot" on the encryption front these days and anything can be expected from those willing to stop its use. Spreading rumors or false accusations is one tactic and it is part of psychological warfare that is used everyday by many entities around the world. The example you gave is a good illustration of such techniques and of course it is difficult to protect against.
That being said, the strength of VeraCrypt (and TrueCrypt before it) comes from the knowledge it carries and not the software itself. So even if VC is brought down, I'm confident that there will always be someone that will carry on the work and make VC/TC legacy grow even more.

Knowledge is power, ignorance is curse!
Knowledge paves the way to freedom, ignorance is a road to slavery!
Jan 1, 2016 at 4:23 PM
Happy New year Mounir !

Thank you for another year of VeraCrypt.

Every couple of days I nervously open the VeraCrypt codeplex page fearing it may have been taken down by the powers that be.

VeraCrypt is too good for them to ignore, it was a small secret between a few paranoid users now it is the best, most loved disk encryption program on the internet.

I cannot thank you enough for your work Mounir, without you many of us would be stuck with the outdated TrueCrypt. You have provided a very secure and professional encryption product. Your attention to detail and work output is to be admired, many commercial products could learn from you with regards to product support.

I feel guilty about the lack of support you receive, financially and contributed code. I want to emphasise the possible positive view to explain it so you don't become discouraged, so here goes.

The complaints about GPT & UEFI support.

When people complain, criticise or generally moan about free tools it annoys me. However I discovered some time ago that sometimes the most critical of comments is born out of frustration and a deep willingness for the product to do well. It's rather like someone cheering their team on and shouting out things they probably don't mean in a moment of over enthusiasm. So please forgive them.

Money.

I do think many people would like to give to you but they are afraid of being linked to an encryption program. This may sound silly but encryption is portrayed as bad or used only by bad people in the media. If you ask the general public they mostly think it is used by bad people, which is a shame. People will be frightened to have their credit cards linked to you or VeraCrypt. Many security minded people do not like to use on-line payment methods now anyway. So please don't see the lack of funds as people not valuing VeraCrypt, it's just some are scared. I wish we could fund you for 1 month of your time, just imagine the progress you could make.


My personal opinion on GPT & UEFI support.

As much as I would like to see VeraCrypt support this I understand it would involve a lot of time. I suggest you leave it for now and finish off all the smaller feature requests, ones which do not take too long to implement but add great functionality to the user experience. You seem to jump on bugs the moment you find them which is awesome and how it should be.

By taking on some of the easier requests, VeraCrypt will appear to be moving on rapidly and instil confidence in the products development. Hopefully as you press on more people will be more likely to join in and also contribute.

In productivity, you stand alone Mounir, as hope for us less skilled or less intelligent paranoid users. The lack of helpful support you receive is no indication of most peoples thoughts. There are many well wishers, people who rely on you and those who think you are the coolest and most generous guy on the net. You are an encryption rock star !

I wish you and your family a great 2016 and many more years to come.

Thank you very much.



PS

I don't mind filling out a capcha but please can it be readable ??? :) The photograph ones are ok but the wobbly text ones are so difficult to read.
Jan 1, 2016 at 5:23 PM
Happy new year to everyone and Mounir especially ;-) I could not agree more with everything above.

@DBKray: money issue - Mounir accepts bitcoin, so it is possible to donate quite anonymously. I'd welcome an option of mailing an envelope with money, because it's very easy ;-) Captcha issue - use the reload icon for better captcha ;-)

@Alex512: I'd still prefer consuming bread with known ingredients from Mounir than another with secret recipe baked by NSA compliant company ;-)
May 10, 2016 at 10:15 AM
So some people want UEFI support in DC ("Do you want a pipeline to NSA with that ?" ;)).

http://www.zdnet.com/article/microsoft-hit-with-competition-complaint-over-windows-8-uefi-secure-boot/#!
http://www.theregister.co.uk/2012/09/19/win8_rootkit/

dikcryptor users are seems happy that sutch feature is absent.
May 10, 2016 at 11:12 AM
Bitcoin is not that anonymous, it has full transaction logs. The ATO (Australian Taxation Office) treats BTC as an asset, so subject to capital gains tax. Other authorities have their own ideas.

MBR support is fine, unless you need to migrate a fully working UEFI installation and keep it fully functional as it was. UEFI support is welcome and is part of the 1.18 beta I believe, so it is moving in the right direction to support.

SSD installs.... fraught with danger, a little anyway. Yes, I understand that if you perform a clean installation of Windows on a brand new and otherwise unused SSD before you add anything that might be personally identifiable or sensitive and you then encrypt the drive, well at that stage, then you are pretty much safe. SSDs, not that much unlike traditional HDDs have their own methods for writing data to disk and /hiding/ possible disk faults; when you write data, it goes to a logical location on the disk for which the controller is responsible for -- it may relocate that data at any time it likes if it thinks the area of the disk is suspect; but you read the data from it's logical location and you get the data as best the drive can provide it. Another issue with SSDs is that if you use any wipe methods, you can be far less sure that the wipe is taking place at the same physical disk location.

VC is great, it was based very much on TC -- much better to have someone whom is known, rather than a bunch of one or more devs that were unknown.

Thank you Mounir, your work is very much appreciated.
May 12, 2016 at 9:40 AM
Edited May 12, 2016 at 9:41 AM
You can install to SSD encrypted from the start. Before you even install windows or anything else. Or before you put a single file on SSD.
  1. Install and encrypt on HDD. Make sure partition will fit to SSD.
  2. Make sure to use partition alignment as SSD manufacturer recommendations.
  3. Clone the RAW (encrypted) partition to SSD. You can use http://www.hddguru.com/software/HDD-Raw-Copy-Tool/
Never decrypt your SSD. Never change partition size etc.

That's it.
May 12, 2016 at 9:49 AM
Regarding the VC and SSD's well the speed is 2x slower if you are unlucky and ~70% is you have everything correct. The encrypted volumes are random data if you look outside the OS, but a bootloader can be found so the adversary will know VC is being used. No SSD optimizations makes it slow.
AFAIK TRIM does not work either, at least on non system volumes TRIM does not work for sure that degrades the Flash media.


With Diskcryptor as far as I know volumes are random data if you move bootloader to external media. So adversary will know nothing why disk is random data.
plausible deniability is that simple.

To make this work Diskcryptor needs TRIM optimizations OFF. Else zeroes gets written to SSD and data does not look random.
May 15, 2016 at 10:21 AM
@SDXC is that tool any different to plain old Linux dd ?